Stuxnet Attacks Used 4 Windows Zero-Day Exploits

abadnog writes "The attackers behind the recent Stuxnet worm attack used four different zero-day security vulnerabilities to burrow into — and spread around — Microsoft's Windows operating system, according to a startling disclosure from Microsoft. Two of the four vulnerabilities are still unpatched. Microsoft said the attackers initially targeted the old MS08-067 vulnerability (used in the Conficker attack), a new LNK (Windows Shortcut) flaw to launch exploit code on vulnerable Windows systems and a zero-day bug in the Print Spooler Service that makes it possible for malicious code to be passed to, and then executed on, a remote machine. The malware also exploited two different elevation of privilege holes to gain complete control over the affected system."

Re:Zero Day?

[CannonballHead]

define: zero day
Pertaining to the day on which software is released; New; as yet unpatched

So it sounds like zero day means that it was present in the unpatched version?

That said, the summary says nothing about patched vs. unpatched. There would be a great outcry if a vulnerability in Linux/OSS was exploited, even though that vulnerability was already patched, and the summary failed to mention that the only reason it was exploited was because the system was NOT patched...

Re:Zero Day?

[TheRedDuke]

Just because MS releases a patch doesn't mean that users apply said patch.

All these vulnerabilities..

[simp]

All these neat day0 exploits wasted to get into an industrial control system. The numbers of those systems are only in the thousands, they could have taken control over millions of normal Windows PCs. Who-ever designed this must have been really determined to get data out of those Siemens controllers. Wouldn't it be easier just to bribe a local operator into getting the info?

Or did they want to create their own bot-net of Scada systems? Then you can brag that you can shutdown a country at the touch of a button.

Re:Zero Day?

[Anonymous Coward]

When you rely on security by obfuscation, yes, it does become easier when you take away the obfuscation. Best to not rely on that when it isn't reliable.

Re:Zero Day?

[NatasRevol]

It stops being called a zero-day vulnerability... once there's a patch out. Just because a patch is or isn't used doesn't change that.

Re:All these vulnerabilities..

[NatasRevol]

Seriously, why go to that level of trouble.

Especially when the passwords to the database are hardcoded:
http://www.wired.com/threatlevel/2010/07/siemens-scada/ [wired.com]

Re:All these vulnerabilities..

[antifoidulus]

This thing is able to inject code as well. Imagine how much a company could gain if it was able to inject difficult to detect faults in its competitors products. Imagine how many armies around the world would be salivating at the opportunity to, for a few thousand dollars, basically have an opportunity to render their opponents half-billion dollar jet useless. These attacks only work, however, if you are able to fly under the radar. If the authors would have attacked normal PCs the odds of the bug being discovered and fixed would be much greater than if they only target a very small subset of Windows computers.

Re:Zero Day?

[turbidostato]

"In the context of security, a zero-day vulnerability is a vulnerability for which no patch exists"

References?

I bet that a exploit against a known vulnerability is not a "zero-day" attack no matter if there's still no patch.

But I wouldn't be surprised if software companies, especifically closed source software companies tried to change it to mean "no patch still delivered" of "before our monthly patch Thursday" since "zero-day attack" seems to imply the software vendor really couldn't do any better: another PR trick.